On Jun 8, 2012, at 1:41 PM, Alec Muffett wrote:

>> PS: when security is hard, people simply don't do it. Blaming the victim
>> of poor engineering that leads people to not be able to perform best
>> practices is not the answer.
> 
> Passwords suck, but they are the best that we have at the moment in terms of 
> being cheap and free from infrastructure - see http://goo.gl/3lggk
> 
> We've been in a bubble for the past few years, where Moore's law hardware had 
> not quite caught up with the speed of SHA and MD5 password hashing throughput 
> for effective brute force guessing; that bubble is well and truly burst.
> 
> Welcome back to 1995 where the advice is to change your passwords frequently, 
> because it has a half-life of usefulness imposed upon it from (a) day to day 
> external exposure and (b) the march of technology - and keep your hashing 
> algorithms up to date, too.  See http://goo.gl/iL9EP for suggestions.
> 
> Have a nice weekend,
> 
>       -a
> 

Would it really be that hard to release a coordinated One-Time Password system 
that consumers could readily use across multiple sites?

Owen
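
The quoted advice to keep hashing algorithms up to date can be followed without a forced password reset by rehashing each account at its next successful login. The sketch below is an added example, not part of either email; the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

def legacy_hash(password):
    # Fast, unsalted SHA-1: the kind of record being retired.
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def slow_hash(password, salt=None, iterations=ITERATIONS):
    # Salted PBKDF2-HMAC-SHA256; the record stores its own parameters.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password, record):
    try:
        scheme, rest = record.split("$", 1)
        if scheme == "sha1":
            candidate = legacy_hash(password)
        elif scheme == "pbkdf2_sha256":
            iterations, salt_hex, _ = rest.split("$")
            candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
        else:
            return False
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(candidate, record)

def needs_upgrade(record):
    # True for legacy schemes and for PBKDF2 records below the current work factor.
    parts = record.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS

def login(store, user, password):
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if needs_upgrade(record):
        store[user] = slow_hash(password)  # only possible while we hold the plaintext
    return True

if __name__ == "__main__":
    store = {"alice": legacy_hash("correct horse")}  # constructed sample record
    print(login(store, "alice", "correct horse"), store["alice"][:24])
```

Accounts that never log in again keep their legacy record, so a migration of this kind still needs a cutoff after which old records are invalidated.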


